Advice asked VISTA64 setup

Discussion in 'other anti-malware software' started by Kees1958, Sep 1, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Dear All,

    I posted an earlier thread, explaining my initial experiences (the hassles of UAC, unsigned drivers and configuring a security setup) with Vista64. This post was more meant to be a 'fun to read' post. /www.wilderssecurity.com/showpost.php?p=1067345&postcount=1.

    The beautiful thing about Wilders is that you get responses and information when you put things a little sharp. So forget the tone of voice in that mail; this is a serious advice/information request.

    Apologies for the lengthy introduction to the question.

    First to re-cap UAC:
    It is not a security mechanism per se; it is intended as a form of authorization control improving security. Quotes from RonJor's link:
    "UAC is an attempt to enable more people to run as standard users". In simple terms you run as a limited user by default and are able to put on the "admin hat" when needed (without the need to log on as an administrator).
    "UAC was not designed to protect an application running with elevated privileges from all attacks by an application that runs with normal privileges in the same login session. While UAC does provide some weak process isolation, it was not a design goal for UAC to sandbox applications from each other."
    In simple terms it does not provide the isolation/protection programs like SSM, ProSecurity and EQSecurity offer (protecting against the other).

    Main criticism of this rigidity (some claim it is the most annoying feature of Vista) is: "including the fact that there are too many warning dialogs, that the messages in them are useless, and that many of the manuals for whatever devices users buy include a note to "please click yes to the security warning dialog to dismiss it."
    In the first two weeks of using Vista (indeed afterwards the pop-ups drop in frequency to a workable level, like Tju explained), users develop a dangerous kind of behavior: "Users have learned to dismiss dialogs".

    My own preferences
    My preferences have changed from blocking everything (Anti Executable like SSM paid, EQS free, Comodo Software Firewall) to a simple line of security defense, which proved to be quite effective on two machines with different types of users: a hardware firewall as first level, a rights management (soft) Sandbox as second level (providing containment from threatgates) and a behavioral blocker as third layer. Yes, you read it correctly: no Antivirus/AntiSpyware blacklist software. The average PC skilled user got DefenseWall, A2 IDS with WinPooch registry and file protection. The high skilled PC user (makes his own website selling graphics, heavy gamer) got CyberHawk Pro (now ThreatFire free) and GeSWall Pro. So the first one was focussed on user friendliness, the second on user friendliness and configurability. This last PC now has Vista64 (reason: DirectX10 for games).

    Security set up Vista64 Home premium PC.

    Enabled DEP for all programs

    Set UAC to 'quiet mode'
    Use TweakUAC or via the registry editor [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "ConsentPromptBehaviorAdmin"=dword:00000000, this will:

    1 Request for elevation in execution privileges will be consented and succeed automatically, thus no prompt to user.
    2 Applications will still run with limited non-admin privileges in standard user mode until the program requests the rights.
    3 Legacy applications that were not designed to support standard user accounts can continue to run in standard credentials without modification using the built-in file system and registry virtualization or sandbox feature.
    4 Protected Mode IE will still work.

    Used outbound capabilities of Vista's default FireWall
    With the free program "Vista FireWall Control", see http://www.sphinx-soft.com/Vista/

    Antivirus
    I used Avast, for a number of reasons.
    1. It is the only free AV with the same capabilities as the paid (including some AT and AS).
    2. It has separate modules for threatgates (Internet, P2P, e-mail, etc).
    3. The standard shield can be configured in detail. To enhance (gaming) performance, I have set the 'execution' control of the standard shield off for X32/X64 plus dynamic load options, have set the scanner of the standard shield to only check when files are modified, and have excluded the Windows Temp directory and Internet Temporary directory from the standard shield (the internet shield takes care of that).
    The risk involved is that a zero-day threat can be installed on the system and that Avast won't recognise this infection at execution (after update of the blacklist, now having fingerprints to identify the malware). Reason: before system backup an AV scan is run on the system, so we should be able to revoke an infection with a previous backup.

    Antimalware
    A. Anti Trojan
    Comodo Boclean (free) runs on Vista64 (note: start BOC425, BOCEXC and BOCore with admin rights). I have also selected the extra features to automatically "Reset Secured Zones", "Clean up hist file" and "Cleanup the Temp folder". Besides the first option, all options of the right pane configuration are enabled. Boclean scans the memory, so it would partly make up for the deliberate weak spot of not checking programs on execution with the Avast standard shield.

    B. Light IDS
    We use WindowsDefender, but only for its limited IDS capabilities (always display Defender and Notify when a program is detected that is not yet classified).

    C Soft Sandbox containment
    HauteSecure beta is the only software available on Vista64 which provides containment.

    Notes: I will replace Boclean and WindowsDefender with ThreatFire free (I have a CyberHawk Pro license) when a Vista 64-bit version becomes available.
    Depending on the speed with which DefenseWall, GeSWall or HauteSecure provide a (final) Vista 64-bit version, I will decide on what (soft) Sandbox to use. My son likes the GW option to right click on a file and change its trustworthiness.

    Recap/Questions

    Rootkits
    As far as I understand, the signed driver limitation provides a reasonable protection against rootkits, although Lucas has tipped on the following risk
    http://www.channelregister.co.uk/2007/08/10/ati_driver_snafu/

    I tried to change the boot configuration running in 'quiet' mode; it was not able to write back the file. I also tried to unselect some drivers and security services with Autoruns (also available in Vista64), but could not change that either (required Admin rights). HauteSecure also blocks programs (e.g. cmd) and important registry changes (e.g. create service), so this provides some additional protection against unintended installation.

    I cannot oversee the impact of the "purple pill" problem in my configuration

    Malware installation
    Unintended installation should be handled because UAC is on and programs are started in limited account mode, so (I hope) Vista64 protects the kernel from unauthorised rights elevation in quiet mode.
    Of course when a program is downloaded, due to the quiet mode, no pop-up is given to warn when a 'shoot in the foot' installation error is made by the admin. For real risky surfing I have made a limited account (son is 16, and we live in the Netherlands, so to my standards it is normal to expect/accept him to have risky behavior, and I prefer to deal with it rather than forbid it).

    Virus Infection
    Because Avast has forward reconnaissance on P2P, E-mail, Internet and Instant Messaging, we have two levels of AV defense: the interpretation of the data in the incoming stream by the specialised Avast module, and the general check of the Standard Shield when a file is written to disk (and persists, because Temp dirs are cleaned at shut down).

    Test results
    Zapass was not able to implant a dll, neither was regtest. Trojandemo failed. TrojanSimulator got caught by Avast; after disabling Avast it got caught by Boclean. AKLT was caught by Boclean. Only the PCFlank test laughed at the Windows Firewall (with the freebie to control outbound initiation, Vista Firewall Control). APT could kill everything it wanted. Morgud's Threat Simulator V2 was a mixed bag. I had to disable Avast and let it pass Boclean; then the download screen disappeared, Windows Defender and Avast got killed, CPU took 53% activity and nothing happened. On next startup all seemed normal. Could not get clues with Autoruns either. After using the unremover (also ended with an error), I could not delete the directories, so something got stuck and I had to use System Restore to remove it. o_O?


    When you notice errors in my assumptions, or have tips on Vista64 or available free/pay ware (in the light of my preferences), please respond.

    Thanks in advance

    Kees
     
    Last edited: Sep 2, 2007
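    The post above sets "ConsentPromptBehaviorAdmin"=0 ("quiet mode") and turns on DEP for all programs. The following PowerShell audit script is an added example, not code from the thread or from any of the tools it names; it reads the same UAC policy key and the boot-time DEP policy and reports what the current values mean. It assumes the documented UAC value meanings (0-4 on Vista, 5 added in Windows 7) and that bcdedit is available; run it from an elevated PowerShell, because bcdedit needs admin rights to read the BCD store.

```powershell
# Added audit script (not from the thread): reads the UAC policy key the post edits
# and the boot-time DEP policy, and explains the risk of each current value.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin (Vista default is 2; 5 is Windows 7+).
$AdminPrompt = @{
    0 = 'Elevate without prompting (the "quiet mode" in the post: silent admin rights)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacFindings {
    param([object]$Policy)
    $findings = @()
    if ($Policy.EnableLUA -ne 1) {
        $findings += 'HIGH: EnableLUA is not 1, UAC is off: no split admin token, no Protected Mode IE.'
    }
    $raw = $Policy.ConsentPromptBehaviorAdmin
    if ($null -eq $raw) {
        $findings += 'ConsentPromptBehaviorAdmin not set; Windows applies its built-in default.'
        return $findings
    }
    $mode = [int]$raw
    $desc = if ($AdminPrompt.ContainsKey($mode)) { $AdminPrompt[$mode] } else { 'undocumented value' }
    $findings += "ConsentPromptBehaviorAdmin = $mode ($desc)"
    if ($mode -eq 0) {
        $findings += 'MEDIUM: every elevation request in the admin session succeeds silently; the sandbox and behaviour blocker are the only layers left to catch an unintended install.'
    } elseif ($Policy.PromptOnSecureDesktop -ne 1) {
        $findings += 'LOW: prompts appear on the normal desktop, where another program can overlay or spoof them.'
    }
    return $findings
}

function Get-DepPolicy {
    # nx line of the current boot entry: OptIn, OptOut (the "all programs" GUI choice), AlwaysOn or AlwaysOff.
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match '^nx\s+(\S+)') { return $Matches[1] }
    }
    return 'unknown (no nx entry read; run elevated to open the BCD store)'
}

$policy = Get-ItemProperty -Path $UacKey
Get-UacFindings -Policy $policy
"DEP policy: $(Get-DepPolicy)"
```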
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    What I do with a Vista32 install which may be similar to 64.

    When the desktop first comes up I go into local security policies and set to show the full blown admin account at startup.

    I logon to the admin account and delete the user account you are forced to create at install.

    Back to local security policies and set UAC control to elevate without prompt.

    I also turn off DEP, System Restore and Paging.

    Msconfig - Boot tab - Advanced Options - Number Of Processors 2, Maximum Ram 2048, tick PCI lock.

    Then I add "Take Ownership" to my right click context menu.

    Now I can get my Little Nash Rambler outta second gear. Beep Beep. :D

    All my security and maintenance apps are then installed from D drive.

    The apps in my sig are used with no blacklists. (Still testing Shadow Defender)

    Ghost images are created/restored by booting from a ghost 2003 floppy.

    I don't advocate anyone doing as I have done and I only do it because I can.
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Nice setup Kees.
    My XP real-time setup (ATM): Jetico v1 (as a service), Geswall free, Tiny Watcher (startup and shutdown). Screaming fast, quiet and strong setup. Various on-demand tools (hardening, system auditing, scanning of newly created/arrived files)
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thx guys,

    Vista64 comes with limited options. Microsoft VirtualPC will work; I tried it with ReactOS (an open source Windows clone), but I could only connect via the cable connection. ReactOS is still in development, so I could not find a driver for my wireless card.

    Regards
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I always keep an eye over ReactOS. It looks very nice.
     